HashCat works almost exactly like Hashcash, but instead of verifying email, it verifies that the request has come from a human.

Here's a step-by-step guide on the HashCat algorithm:

The server generates a totally random string. This is embedded on the page through JavaScript.

The user generates a random number and appends this to the string. This can be a number, or a string, or anything at all.

The user hashes this using SHA-1, or a more "intensive" hashing algorithm if required.

If the first four bytes of the hash are zero, the client submits the form and sends the random number along with it. If not, it tries again with a different number. On average, an estimated 200 million calculations are required to find such a hash. This takes about 2-10 seconds on an average desktop.

The server verifies by computing the same hash and checking the first four bytes. If they're all zero, the form is submitted. The session identifier should be reset.
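The five steps above as an added example for Node.js; this is not HashCat's own JavaScript library or server scripts. The function names, the 16-byte challenge, the counter used as the appended value and the in-memory set that retires a challenge after one accepted form are assumptions, and zeroBytes is a parameter only so the exchange can be tried below the four-byte target.

```javascript
// Added example, not HashCat's own code. Runs under Node.js.
const { createHash, randomBytes } = require('node:crypto');

const ZERO_BYTES = 4; // the page's target: first four bytes of the hash are zero

// Shared by client and server: does SHA-1(challenge + nonce) start with
// `zeroBytes` zero bytes?
function meetsTarget(challenge, nonce, zeroBytes = ZERO_BYTES) {
  const digest = createHash('sha1').update(challenge + nonce).digest();
  for (let i = 0; i < zeroBytes; i++) {
    if (digest[i] !== 0) return false;
  }
  return true;
}

// Client (steps 2-4): append candidate values until the hash meets the target.
// A counter is used here (assumption); the page allows any appended value.
function solve(challenge, zeroBytes = ZERO_BYTES) {
  for (let n = 0; ; n++) {
    const nonce = n.toString(36);
    if (meetsTarget(challenge, nonce, zeroBytes)) return nonce;
  }
}

// Server (steps 1 and 5). The in-memory Set is an assumption standing in for
// per-session storage; deleting the entry plays the role of the session reset.
function makeServer(zeroBytes = ZERO_BYTES) {
  const outstanding = new Set();
  return {
    issue() {
      const challenge = randomBytes(16).toString('hex'); // 16 bytes: assumption
      outstanding.add(challenge);
      return challenge;
    },
    verify(challenge, nonce) {
      if (typeof nonce !== 'string' || nonce.length > 64) return false;
      if (!outstanding.has(challenge)) return false; // never issued, or already spent
      if (!meetsTarget(challenge, nonce, zeroBytes)) return false;
      outstanding.delete(challenge); // one accepted form per challenge
      return true;
    },
  };
}
```

Pass a smaller zeroBytes, such as 2, to makeServer() and solve() to try the exchange quickly; submitting the same challenge and number a second time is rejected.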

Is it free to use?

Of course! The Internet would suck without free software. The JavaScript libraries for HashCat are licensed under the MIT license. And the server-side example scripts are completely public domain, mainly because they're so simple.

An added bonus is that you don't require the use of a third-party server, like with reCAPTCHA (which could be a single point of failure). Another extra is that it means Google can't spam your site!

This project makes use of tiny-sha1, with thanks to cloudgen.wong[at]gmail.com. This library is MIT licensed, but the code did not contain any copyright notice, so this shall serve as one.